Security Firm: 1.2 Billion Credentials HackedRussian Gang Accused of 'Largest Data Breach Known'
A Russian cyber gang over the past several months has breached over 420,000 web and FTP sites to pilfer over 1.2 billion credentials, according to security firm Hold Security, saying it discovered "what could be arguably the largest data breach known to date."
The security vendor says that the cyber gang amassed over 4.5 billion records, 1.2 billion of which appear to be unique and tied to more than half a billion e-mail addresses.
The cyber gang, dubbed by Hold Security as CyberVor - "vor" is Russian for thief - used botnets to scan hundreds of thousands of websites for known vulnerabilities, Hold Security says. "Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone," the vendor says. "The CyberVors used these vulnerabilities to steal data from these sites' databases.
"To the best of our knowledge, they mostly focused on stealing credentials, eventually ending up with the largest cache of stolen personal information, totaling over 1.2 billion unique sets of e-mails and passwords," Hold Security says.
CyberVor targeted both small and large companies, the security vendor says. "With hundreds of thousands of sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites," the company says.
To date, the gang behind the attacks has used the stolen information to send spam to people via social networks, including Twitter, Hold Security told The New York Times, which was the first to report the story.
Criminals, of course, have been buying, selling or stealing user IDs, email addresses and passwords for years. But the amount of information alleged to have been amassed by this one gang is unusual. "While amassing databases of compromised accounts is not new, I am not aware of any database of this scale," Dublin-based Brian Honan, an independent information security consultant, tells Information Security Media Group. "There is an active underground market where criminals buy and sell stolen credentials, so a database of this size is quite a valuable asset for the criminals to have."
Tom Kellermann, chief cybersecurity officer at security solutions vendor Trend Micro, says attacks such as these are growing exponentially. And the alleged attackers are no mere hobbyists.
"This Russian crew is formidable and their tactics and organization must be respected," Kellermann says. "The untouchables of the Internet have developed a robust hacker economy of scale in Russia."
Easily Exploitable Vulnerabilities
But at least part of the blame for attackers' success lies with the businesses that were so easily hacked. "Clearly, computer users are putting their trust in the hands of web developers, and hoping that proper steps are being taken to secure personal data," independent security consultant Graham Cluley tells Information Security Media Group. "But many sites are vulnerable to well-known problems, such as SQL injection vulnerabilities."
Where such problems exist, even if consumers pick the world's best and most unique passwords, whether those credentials get stolen remains out of their control. "The best consumers can do is enable additional security measures - such as multi-factor authentication when made available - and ensure that they never reuse the same password or choose a password that is easy to guess or crack," he says. "Those responsible for building and maintaining websites meanwhile may benefit from going back to the classroom, and learning about web security 101."
Al Pascual of Javelin Strategy & Research says that the key message from this report is: Our reliance on passwords has made both consumers and enterprises extremely vulnerable. "Not simply because of the inherently flimsy nature of most passwords, but also how prone we are to reuse the same passwords across multiple logins," Pascual says.
"That this group managed to siphon off that many credentials is very impressive, but there are over 644 million websites on the Internet right now," Pascual adds. " We can't possibly expect all of those 644 million websites to be hardened, but for those businesses that have something to protect, they should assume that the customers and their employees passwords are already in the wrong hands."
Mathew Schwartz and Tracy Kitten contributed to this report.